Abstract — In this paper, we examine a class of block ciphers referred to as substitution-permutation networks or SPNs. We assert that the basic SPN architecture can be used to provide an efficient implementation of a secure block cipher if the system S-boxes are carefully selected and connected with an appropriate linear transformation. Specifically, it is shown that 8x8 S-boxes which possess good diffusion and nonlinearity properties may be effectively used as components of a secure block cipher. As well, it is demonstrated that the cipher may be strengthened by replacing the permutation of bits between S-box rounds with a diffusive linear transformation.

I. Introduction 

Since its introduction in 1977, the Data Encryption Standard (DES) [1] has become the most widely applied private key block cipher. Recently, a hardware design to effectively break DES using exhaustive search was outlined by Wiener [2]. Unfortunately, since the DES design principles have never been fully disclosed, it is not generally known how to efficiently modify the DES algorithm to allow for different block or key sizes. This suggests that there is a need to replace DES with a secure, flexible block cipher whose design is well understood. In this paper, we contribute to the achievement of this objective by examining a simple, yet elegant class of block ciphers referred to as substitution-permutation networks or SPNs.

Feistel [3] [4] was the first to suggest that an SPN architecture consisting of rounds of nonlinear substitutions (S-boxes) connected by bit position permutations was a simple, effective implementation of Shannon's concept of a "mixing transformation" based on the principles of "confusion" and "diffusion" [5]. Many modern block ciphers, including DES, FEAL [6], and LOKI [7], while deviating from Feistel's basic SPN model, are based on Shannon's fundamental concepts.

In this paper, we show that appropriately selected S-boxes and S-box interconnection transformations can be used to increase a cipher's resistance to differential [8] and linear cryptanalysis [9] and are also effective in improving a cipher's adherence to the important cryptographic property referred to as the strict avalanche criterion (SAC) [10]. In particular, we examine the use of large 8x8 S-boxes that are selected to provide strong diffusion and nonlinearity characteristics and we analyze the effectiveness of a novel application of linear transformations between rounds of S-boxes.

II. Background 

We shall consider a general $N$-bit SPN as consisting of $R$ rounds of $n \times n$ S-boxes. The plaintext and ciphertext are $N$-bit vectors denoted as $P = [P_1\, P_2 \dots P_N]$ and $C = [C_1\, C_2 \dots C_N]$, respectively. An S-box in the network is defined as an $n$-bit bijective mapping $S$. A simple example of an SPN is illustrated in Figure 1.

In general, S-boxes may be keyed by (1) using key bits to select which mappings are used for the S-boxes or (2) XORing key bits with network bits prior to entering the S-boxes. We shall assume in our discussion that the network is keyed by XORing bits of key (as determined by the key scheduling algorithm) before each round and after the last round of substitutions. Decryption is performed by running the data backwards through the network (i.e., applying the key scheduling algorithm in reverse and using the inverse S-boxes).

Rather than strictly confining ourselves to the basic form of S-boxes connected by a bit position permutation, in this paper we consider the more general model of S-boxes connected by invertible linear transformations. However, for consistency, we still refer to the more general architecture as an SPN.
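The following is an added example, not code from the paper: a toy SPN laid out like Figure 1 ($N = 16$, $R = 4$, $n = 4$), keyed exactly as described above (sub-key XORed before each round and after the last) and decrypted by running the network backwards with the inverse S-box and the reversed key schedule. The 4x4 S-box table, the bit permutation, and the rotating key schedule are constructed here for illustration and are not the paper's. The last function runs the SAC experiment of Section IV in miniature, averaging the fraction of ciphertext bits that change per single-bit plaintext change.

```python
import random

# Added example (not from the paper): toy SPN in the form of Figure 1.
N, R, n = 16, 4, 4
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]       # constructed 4x4 bijection
INV_SBOX = [SBOX.index(y) for y in range(1 << n)]
# Constructed permutation: output bit j of S-box i feeds input bit i of S-box j,
# so no two outputs of one S-box enter the same S-box in the next round.
PERM = [(k % n) * n + (k // n) for k in range(N)]
INV_PERM = [PERM.index(k) for k in range(N)]
MASK = (1 << n) - 1


def substitute(block, table):
    """Apply the same n x n S-box to every n-bit group of the block."""
    out = 0
    for i in range(N // n):
        out |= table[(block >> (n * i)) & MASK] << (n * i)
    return out


def permute(block, perm):
    """Move bit k of the block to position perm[k]."""
    out = 0
    for k in range(N):
        if (block >> k) & 1:
            out |= 1 << perm[k]
    return out


def key_schedule(master_key):
    """Constructed rotating schedule: R + 1 sub-keys, each the low 16 bits of a
    different rotation of a 32-bit master key."""
    subkeys = []
    for r in range(R + 1):
        s = (4 * r) % 32
        rot = ((master_key << s) | (master_key >> (32 - s))) & 0xFFFFFFFF
        subkeys.append(rot & 0xFFFF)
    return subkeys


def encrypt(plaintext, master_key):
    ks = key_schedule(master_key)
    state = plaintext
    for r in range(R):
        state ^= ks[r]                      # key mixing before each round
        state = substitute(state, SBOX)
        if r < R - 1:                       # a permutation after the last round would be
            state = permute(state, PERM)    # a public relabelling, so it is omitted
    return state ^ ks[R]                    # key mixing after the last round


def decrypt(ciphertext, master_key):
    """Run the network backwards: reversed key schedule and inverse S-boxes."""
    ks = key_schedule(master_key)
    state = ciphertext ^ ks[R]
    for r in reversed(range(R)):
        if r < R - 1:
            state = permute(state, INV_PERM)
        state = substitute(state, INV_SBOX)
        state ^= ks[r]
    return state


def avalanche_fraction(plaintext, key, bit):
    """Fraction of ciphertext bits that flip when one plaintext bit is flipped."""
    c1 = encrypt(plaintext, key)
    c2 = encrypt(plaintext ^ (1 << bit), key)
    return bin(c1 ^ c2).count("1") / N


def sac_estimate(key, trials=500, seed=1):
    """Miniature of the Figure 2 experiment: average avalanche fraction over random
    plaintexts and every single-bit plaintext change.  SAC predicts 1/2."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        p = rng.getrandbits(N)
        total += sum(avalanche_fraction(p, key, b) for b in range(N))
    return total / (trials * N)


if __name__ == "__main__":
    key = 0x3A94D63F
    c = encrypt(0x1234, key)
    assert decrypt(c, key) == 0x1234
    print(hex(c), sac_estimate(key))
```

Because each round key is applied by XOR, decryption needs no extra machinery beyond the inverse S-box table and the inverse permutation; the key schedule is simply read in reverse.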



III. Important Cryptographic Properties

In general, we consider that cryptographic properties may be categorized as either static or dynamic. Static properties encompass the relationships among plaintext, ciphertext, and key bits when the plaintext or key bits are not changing; dynamic properties refer to the relationships of plaintext, ciphertext, and key bit changes when a subset of plaintext or key bits are changed.

Important static properties include:

(S1) completeness [11]

• each ciphertext bit is a function of all plaintext and key bits

[Figure 1. SPN with $N = 16$, $R = 4$, and $n = 4$ (labels: plaintext, ciphertext)]

(S2) nonlinearity [12]

• each ciphertext bit has low correlation to a linear system equation

(S3) static information theoretic properties [13]

• partial knowledge of plaintext/key bits does not reveal any information about the ciphertext

Important dynamic properties include:

(D1) strict avalanche criterion (SAC) [10]

• a one bit plaintext/key change causes each ciphertext bit to change with a probability of 1/2

(D2) low probability differential characteristics [8]

• occurrence of a particular sequence of XOR differential pairs corresponding to each round is unlikely

(D3) dynamic information theoretic properties [13]

• partial knowledge of plaintext/key bit changes does not reveal any information about the ciphertext bit changes

The strict avalanche criterion and information theoretic properties — properties S3, D1, and D3 — can be considered as measures of a cipher's randomness and, hence, its resistance to certain kinds of statistical attacks. For example, it can be shown that systems which do not satisfy SAC for key bit changes may be susceptible to key clustering attacks [14]. The remaining properties — S1, S2, D2 — are required to ensure immunity to clustering attacks [15], linear cryptanalysis [9], and differential cryptanalysis [8]. In this paper, we focus our attention on the properties of SAC, nonlinearity, and differential characteristics.

IV. S-box Design 

In this section we discuss how S-boxes may be selected to provide the cryptographic properties of interest.

An important S-box property which is useful in improving resistance to differential cryptanalysis (by decreasing differential characteristic probabilities) is the rapid diffusion of bit changes [16] [17] [12]. (A simple example of S-box diffusion is the property that a one bit input change results in two or more output changes. We refer to this as first order diffusion and it is interesting to note that the DES S-boxes satisfy this property. Higher order diffusion is also possible [12].) As well, several authors [18] [19] [20] have suggested that selecting S-boxes with low probability XOR differential pairs is useful in ensuring low probability characteristics. In [17], O'Connor illustrates that for large $n$ the maximum XOR pair probability, $p_\delta$, is expected to be small, $p_\delta < n/2^{n-1}$.



0.60 




Rounds 

Figure 2. Experimental SAC 
for Different S-box Types 

We propose selecting S-boxes to satisfy both diffusion and small XOR pair probabilities. In consideration of O'Connor's result, we have found that this is most easily done for large S-boxes. (Our experiments have involved S-boxes for which $n \le 8$.) We have discovered that 8x8 S-boxes satisfying good diffusion characteristics may be efficiently selected using a depth-first-search algorithm. Among the S-boxes generated with good diffusion, it was easy to find S-boxes which were highly nonlinear ($NL > 96$) and satisfied $p_\delta < 2^{-[\text{illegible}]}$. Consider the following example.

Example 1: For an 8-round SPN, using 8x8 S-boxes which satisfy first order diffusion with $NL > 96$ and $p_\delta < 2^{-[\text{illegible}]}$, using reasonable assumptions about the permutations, it can be shown [12] that the minimum number of chosen plaintexts required for differential cryptanalysis is $N_D \approx 2^{[\text{illegible}]}$ and the number of known plaintexts required for linear cryptanalysis is $N_L \approx 2^{[\text{illegible}]}$. For a 64-bit block cipher using a 40-bit key, this SPN provides a reasonable level of security when compared to the $2^{40}$ key trials required in an exhaustive key search.
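The three selection criteria used above (first order diffusion, the maximum XOR pair probability $p_\delta$, and the nonlinearity $NL$) can be measured directly from an S-box table. The analyser below is an added example, not the paper's search algorithm or any of its S-boxes. Its sample input is a constructed 8x8 S-box, inversion in GF($2^8$) with reduction polynomial 0x11B (an assumption made here because that mapping's values $NL = 112$ and $p_\delta = 2^{-6}$ are well known), alongside the identity mapping as a deliberately poor reference. Nonlinearity is computed with a fast Walsh–Hadamard transform so that an 8-bit table is analysed in well under a second.

```python
# Added example (not from the paper): analyser for the Section IV S-box criteria.

def gf_mul(a, b, poly=0x11B):
    """Multiply in GF(2^8) modulo `poly` (assumed reduction polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r


def inverse_sbox():
    """Constructed 8x8 sample: S(x) = x^-1 in GF(2^8), with S(0) = 0."""
    table = [0] * 256
    for x in range(1, 256):
        y, base, e = 1, x, 254          # x^254 = x^-1 since the group order is 255
        while e:
            if e & 1:
                y = gf_mul(y, base)
            base = gf_mul(base, base)
            e >>= 1
        table[x] = y
    return table


def is_bijective(sbox):
    return sorted(sbox) == list(range(len(sbox)))


def min_single_bit_output_change(sbox, n):
    """Smallest output Hamming distance over all single-bit input changes."""
    return min(bin(sbox[x] ^ sbox[x ^ (1 << i)]).count("1")
               for x in range(1 << n) for i in range(n))


def first_order_diffusion(sbox, n):
    """The paper's first order diffusion: one input bit change gives >= 2 output changes."""
    return min_single_bit_output_change(sbox, n) >= 2


def max_xor_pair_probability(sbox, n):
    """p_delta: largest Pr[S(x) xor S(x xor dx) = dy] over nonzero dx and all dy."""
    size = 1 << n
    worst = 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst / size


def walsh_spectrum(signs):
    """Fast Walsh-Hadamard transform of a Boolean function given as +-1 values."""
    w = list(signs)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def nonlinearity(sbox, n):
    """NL = min over nonzero output masks b of 2^(n-1) - max|W|/2, where W is the
    Walsh spectrum of the component function f_b(x) = b . S(x)."""
    size = 1 << n
    nl = size
    for b in range(1, size):
        signs = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(size)]
        nl = min(nl, size // 2 - max(abs(v) for v in walsh_spectrum(signs)) // 2)
    return nl


def analyse(sbox, n):
    """Summarise the criteria the paper selects S-boxes on."""
    return {
        "bijective": is_bijective(sbox),
        "first_order_diffusion": first_order_diffusion(sbox, n),
        "p_delta": max_xor_pair_probability(sbox, n),
        "NL": nonlinearity(sbox, n),
    }


if __name__ == "__main__":
    print("inversion:", analyse(inverse_sbox(), 8))
    print("identity: ", analyse(list(range(256)), 8))
```

A candidate produced by any search procedure can be accepted or rejected on the returned dictionary alone; the same functions work unchanged for 4x4 or 6x6 tables by passing the appropriate $n$.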

We consider that an SPN is stronger in relation to a criterion when fewer rounds are required to reasonably achieve the criterion. Using this definition of cryptographic strength, we have discovered that

(1) large S-boxes strengthen an SPN's SAC properties and

(2) strong diffusion characteristics strengthen an SPN's SAC properties (particularly for small S-boxes)

These conclusions are supported analytically in [21] and experimentally by the results presented in Figure 2. The curves of Figure 2 illustrate the probability of a ciphertext bit change as a function of the number of rounds in the network. The curves represent experimental data obtained for 64-bit SPNs using optimal permutations [21] and different sized S-boxes randomly selected to satisfy first order diffusion. The results presented are based on $10^{[\text{illegible}]}$ randomly selected plaintexts and, if SAC was perfectly satisfied, we would expect the probability to be 1/2.



V. S-box Interconnection

In this section, we consider improving the security of an SPN by replacing the permutation between rounds of S-boxes with a suitable invertible linear transformation. Consider, for example, a linear transformation such as

$$V = \pi(\mathcal{L}(U)) \qquad (1)$$

where $V = [V_1\, V_2 \dots V_N]$ is the vector of input bits to a round of S-boxes, $U = [U_1\, U_2 \dots U_N]$ is the vector of bits from the previous round output, $\mathcal{L}(U) = [L_1(U) \dots L_N(U)]$ is a diffusive invertible linear transformation, and $\pi$ is a permutation such that no two outputs of an S-box are connected to one S-box in the next round. The transformation $L_i(U)$ is given by

$$L_i(U) = U_i \oplus Q \qquad (2)$$

where $Q = U_1 \oplus U_2 \oplus \dots \oplus U_N$. Using such a transformation between rounds of S-boxes is useful in promoting rapid diffusion of bit changes. Let $\eta_U$ represent the number of bit changes in vector $U$ and $\eta_V$ represent the number of bit changes in vector $V$. It can be shown [21] that

$$\eta_V = \begin{cases} \eta_U, & \eta_U \text{ even} \\ N - \eta_U, & \eta_U \text{ odd.} \end{cases} \qquad (3)$$

Hence, a differential with a small, odd number of bit changes is translated into a differential with a large number of bit changes, whereas differentials with even changes remain unaffected. For example, if $N = 64$, a one bit change from the output of round $r$ is translated into a 63 bit change to the input of round $r + 1$. It can be shown [12] that the diffusion of bit changes by the linear transformation is useful in decreasing the upper bound on the differential characteristic probability when S-boxes are used which have no diffusion. As well, it may be demonstrated [12] that using such a linear transformation, the effectiveness of a linear approximation to the overall cipher can be decreased by requiring a larger number of S-box linear approximations to be included in the system linear expression.

[Figure 3. Experimental SAC for Linear Transformation]
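Equations (1) to (3) are small enough to check by running them. The block below is an added example, not the paper's code: it implements $L_i(U) = U_i \oplus Q$ over a bit vector, a permutation $\pi$ meeting the stated condition (constructed here for $N = n^2$ by sending output bit $j$ of S-box $i$ to input bit $i$ of S-box $j$), the inverse of (1), and a check of relation (3). One caveat the code makes explicit: $\mathcal{L}$ is the matrix $I + J$ over GF(2), which is its own inverse when $N$ is even but singular when $N$ is odd (the all-ones vector maps to zero), so the construction only yields an invertible interconnection for even block sizes such as the paper's $N = 64$.

```python
# Added example (not from the paper): the inter-round transformation of eqs. (1)-(3).

def parity_transform(u):
    """Eq. (2): L_i(U) = U_i xor Q with Q = U_1 xor ... xor U_N.  `u` is a list of bits."""
    if len(u) % 2:
        # I + J over GF(2) is singular for odd N, so L would not be invertible.
        raise ValueError("L is invertible only for even N")
    q = 0
    for bit in u:
        q ^= bit
    return [bit ^ q for bit in u]


def sbox_permutation(n):
    """Constructed pi for N = n*n: output bit j of S-box i -> input bit i of S-box j."""
    return [(k % n) * n + (k // n) for k in range(n * n)]


def permutation_separates_sboxes(pi, n):
    """The paper's condition on pi: no two outputs of one S-box enter the same S-box."""
    for i in range(n):
        destinations = {pi[i * n + j] // n for j in range(n)}
        if len(destinations) != n:
            return False
    return True


def apply_permutation(bits, pi):
    v = [0] * len(bits)
    for k, bit in enumerate(bits):
        v[pi[k]] = bit
    return v


def interconnect(u, n):
    """Eq. (1): V = pi(L(U))."""
    return apply_permutation(parity_transform(u), sbox_permutation(n))


def inverse_interconnect(v, n):
    """U = L^-1(pi^-1(V)); for even N, L is an involution so L^-1 = L."""
    pi = sbox_permutation(n)
    w = [v[pi[k]] for k in range(len(v))]      # undo the permutation
    return parity_transform(w)


def change_count(u, u_prime, n):
    """Return (eta_U, eta_V): bit changes before and after the interconnection."""
    eta_u = sum(a ^ b for a, b in zip(u, u_prime))
    v, v_prime = interconnect(u, n), interconnect(u_prime, n)
    eta_v = sum(a ^ b for a, b in zip(v, v_prime))
    return eta_u, eta_v


def predicted_eta_v(eta_u, n_bits):
    """Eq. (3)."""
    return eta_u if eta_u % 2 == 0 else n_bits - eta_u


def eq3_holds(u, u_prime, n):
    eta_u, eta_v = change_count(u, u_prime, n)
    return eta_v == predicted_eta_v(eta_u, len(u))


if __name__ == "__main__":
    # Constructed demonstration: N = 64, n = 8, a single-bit change in U.
    u = [0] * 64
    u1 = list(u)
    u1[5] ^= 1
    print(change_count(u, u1, 8))      # (1, 63), as the text states for N = 64
```

Because $\pi$ only moves bits, $\eta_V$ is decided entirely by $\mathcal{L}$: an even number of changes leaves $Q$ unchanged and passes through, while an odd number flips $Q$ and therefore flips every bit that did not change.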

Example 2: For an 8-round SPN, using 8x8 S-boxes which satisfy second order diffusion with $NL > 96$ and $p_\delta <$ [value illegible] and using the linear transformation of (1), it can be shown [12] that $N_D \approx$ [value illegible] and $N_L \approx 2^{[\text{illegible}]}$. Note that, for a 64-bit SPN using a 64-bit key, the level of security is comparable to DES (with a 56-bit key) which has $N_D \approx 2^{47}$ and $N_L \approx 2^{[\text{illegible}]}$ and is reasonable when compared to the $2^{64}$ key trials required by exhaustive key search.
The diffusive effect of the linear transformation of (1) is also useful in strengthening the SAC properties of the SPN. Figure 3 illustrates the probability of a ciphertext bit change as a function of the number of network rounds based on $10^{[\text{illegible}]}$ experimental plaintexts for a 64-bit SPN with different sized S-boxes.

VI. Key Scheduling

The keying mechanism is an important aspect of block cipher security. We recommend the application of a rotating key, that the sub-key applied at each round is unique, and that all key bits are applied as early as possible in the network.

It is interesting to note that the SPN structure considered in this paper is immune to the related-keys attack presented in [22]. In DES-like ciphers the related-keys attack exploits the half block of ciphertext that comes directly from the output of the previous round. In a basic SPN, it is not possible to examine the input to any round, thereby preventing any exploitation of the relationship between the sub-keys of consecutive rounds.

A block cipher is said to have a "weak" key if encryption using the key is equivalent to decryption using the same key. That is, double encryption of the plaintext results in the original plaintext. Since decryption does not use the same substitutions (the inverse S-boxes are used), the basic SPN structure has the advantage that there are no obvious weak keys. The keying structure itself has no apparent tendency to allow weak keys.

VII. Conclusions 

In this paper, we have suggested that the basic SPN structure, motivated by Shannon and introduced by Feistel, is an elegant structure for the design of secure block ciphers. The ease of randomly selecting large S-boxes that satisfy good diffusion and nonlinearity properties, combined with the simplicity of analyzing the network structure, support the use of such SPNs as the basis for secure block ciphers.